Re: [liberationtech] AdLeaks - a whistleblowing platform

2013-06-24 Thread Fabio Pietrosanti (naif)

On 6/23/13 2:53 PM, Jens Christian Hillerup wrote:
> Quickly noting that I'm not affiliated with AdLeaks, just passing on
> the information.
>
> On Sun, Jun 23, 2013 at 1:56 PM, Andrea St and...@gmail.com wrote:
>
>> It sounds different from globaleaks project. Am I right?
>
> Yes. GlobaLeaks seeks to establish an open-source version of the
> submission system of Wikileaks such that any and everyone can make
> their own leaks site. The core development team of GlobaLeaks is also
> on this list, so I'll let them describe it further.


GlobaLeaks' mission is to be a framework with support for different
digital whistleblowing workflows and security threat models.


The AdLeaks concept is very cool (http://arxiv.org/abs/1301.6263), even
if it appears to me very difficult to deploy and use in a real-world
scenario:
See 6.1 (submission duration), it would take the whistleblower 21 days
to upload a single 2MB file.


Passive traffic analysis with correlation of timing/size/destination is
*extremely difficult and unlikely* to be easy to protect against without
awareness and actions of the whistleblower (like using an open wifi,
an internet café, using Tor from another person's communication line, etc.).


For a whistleblowing project we're working on, we are going to develop a 
Widget to support covert-traffic generation:

https://github.com/globaleaks/GlobaLeaks/issues/263

This will work by inclusion in the websites of all the partners of this
whistleblowing initiative.


This does not guarantee protection to the whistleblower doing a submission.

Our widget for covert-traffic is specifically designed only to provide
some additional aid in some specific cases we've discussed (and that
should be better documented in TM).


It helps whistleblowers who access a submission site from their
corporate/governmental networks, through proxy servers that save detailed
access logs, in contexts where whistleblowers are prevented from doing a
submission (because behind a proxy) but can access it.


In such a context the WB will leave traces that may be interpreted as if he
intended to do a submission, but then he hasn't done it.


If in the Enterprise/Government organization's proxy logs, there are
traces of thousands of users connecting to the submission interface (due
to the Widget being embedded in third party popular websites), there
will not be a single, incriminating log entry generated by the
unaware/unconscious whistleblower, but thousands of them, making the
analysis slightly more difficult.


Supporting covert-traffic generation is something that helps, but
doesn't fix the real problem, which I think *requires* whistleblower awareness.


Anyhow I'm excited to meet the AdLeaks team at OHM2013 and do some
brainstorming on it! :)


--
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org

--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

[liberationtech] AdLeaks - a whistleblowing platform

2013-06-23 Thread Jens Christian Hillerup
We designed the AdLeaks system to work with partners who embed AdLeaks ads
or AdLeaks bugs into their web pages. Our ads contain code that encrypts an
empty message with the AdLeaks public key and sends the ciphertext back to
AdLeaks. This happens on all users' web browsers. A whistleblower's browser
substitutes the ciphertext with encrypted parts of a disclosure. The
protocol ensures that an adversary who can eavesdrop on the network
communication cannot distinguish between the transmissions of regular
browsers and those of whistleblowers' browsers. AdLeaks ads are
authenticated so that a whistleblower's browser can tell them apart from
other code. Consequently, whistleblowers never have to navigate to any
particular site to communicate with AdLeaks once our ads are sufficiently
widespread.

http://www.adleaks.org/how.html

Re: [liberationtech] AdLeaks - a whistleblowing platform

2013-06-23 Thread Andrea St
It sounds different from globaleaks project. Am I right?

2013/6/23 Julian Oliver jul...@julianoliver.com

> ..on Sun, Jun 23, 2013 at 10:15:13AM +0200, Jens Christian Hillerup wrote:
>> We designed the AdLeaks system to work with partners who embed AdLeaks ads
>> or AdLeaks bugs into their web pages. Our ads contain code that encrypts an
>> empty message with the AdLeaks public key and sends the ciphertext back to
>> AdLeaks. This happens on all users' web browsers. A whistleblower's browser
>> substitutes the ciphertext with encrypted parts of a disclosure. The
>> protocol ensures that an adversary who can eavesdrop on the network
>> communication cannot distinguish between the transmissions of regular
>> browsers and those of whistleblowers' browsers. AdLeaks ads are
>> authenticated so that a whistleblower's browser can tell them apart from
>> other code. Consequently, whistleblowers never have to navigate to any
>> particular site to communicate with AdLeaks once our ads are sufficiently
>> widespread.
>>
>> http://www.adleaks.org/how.html
>
> Very smart approach. Congrats.
>
> --
> Julian Oliver
> http://julianoliver.com
> http://criticalengineering.org




-- 
Andrea Stroppa
http://huffingtonpost.com/andrea-stroppa
@andst7

Re: [liberationtech] AdLeaks - a whistleblowing platform

2013-06-23 Thread Jens Christian Hillerup
Quickly noting that I'm not affiliated with AdLeaks, just passing on the
information.

On Sun, Jun 23, 2013 at 1:56 PM, Andrea St and...@gmail.com wrote:

> It sounds different from globaleaks project. Am I right?


Yes. GlobaLeaks seeks to establish an open-source version of the submission
system of Wikileaks such that any and everyone can make their own leaks
site. The core development team of GlobaLeaks is also on this list, so I'll
let them describe it further.

This project, on the other hand, cleverly uses how every internet user is
exposed to ads on a daily basis. The people designing some web page with
ads (say a news site) can then choose to make it sort-of AdLeaks-boosted.
For a regular visitor to the news site, their browser will encrypt a block
of red herring data (no content of interest), but if a whistleblower
comes by they have the chance to encrypt not red herring but the content
that they want to leak. The thing is that an adversary that is able to
monitor the traffic to the news site will not be able to distinguish
between leaks and noise, since it won't have the decryption key. In short:
having *all* visitors to the site encrypt and submit *something* is the
novelty in this approach.

JC
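
The idea described in this thread (every visitor's browser submits an encrypted empty message, a whistleblower's browser substitutes encrypted parts of a disclosure), as an added example that is not from the posts or from AdLeaks. RSA-OAEP from Node's crypto module stands in for whatever encryption AdLeaks uses, and the 128-byte slot, the framing bytes and all function names are assumptions made for the illustration.

```javascript
// Added illustration, not AdLeaks code. RSA-OAEP is a stand-in cipher;
// the slot size and framing below are assumptions.
const nodeCrypto = require('node:crypto');

const SLOT = 128;          // every plaintext is exactly this long
const PAYLOAD = SLOT - 2;  // byte 0: kind (0 dummy, 1 data), byte 1: chunk length
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Collector key pair, constructed here for the demo.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

function frame(kind, chunk) {
  const slot = Buffer.alloc(SLOT);  // zero-filled, so dummy and data slots have equal size
  slot[0] = kind;
  slot[1] = chunk.length;
  chunk.copy(slot, 2);
  return slot;
}

// What every visitor's browser sends: an encrypted empty slot.
function dummySubmission() {
  return nodeCrypto.publicEncrypt({ key: publicKey, ...OAEP }, frame(0, Buffer.alloc(0)));
}

// What a whistleblower's browser sends instead: one ciphertext per chunk.
function disclosureSubmissions(message) {
  const data = Buffer.from(message, 'utf8');
  const out = [];
  for (let i = 0; i < data.length; i += PAYLOAD) {
    const chunk = data.subarray(i, i + PAYLOAD);
    out.push(nodeCrypto.publicEncrypt({ key: publicKey, ...OAEP }, frame(1, chunk)));
  }
  return out;
}

// Collector side: decrypt everything, drop dummies, reassemble the rest in order.
function collect(ciphertexts) {
  const parts = [];
  for (const ct of ciphertexts) {
    const slot = nodeCrypto.privateDecrypt({ key: privateKey, ...OAEP }, ct);
    if (slot[0] === 1) parts.push(slot.subarray(2, 2 + slot[1]));
  }
  return Buffer.concat(parts).toString('utf8');
}

// Constructed traffic: five ordinary visitors around one 300-byte disclosure.
const leak = 'constructed sample disclosure '.repeat(10);
const wire = [dummySubmission(), dummySubmission(), ...disclosureSubmissions(leak),
              dummySubmission(), dummySubmission(), dummySubmission()];
const sizesOnWire = new Set(wire.map((ct) => ct.length)); // all an eavesdropper can measure
```

Only content and size are equalised here; the timing and destination correlation raised earlier in the thread is outside what this sketch covers.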